
New Research Finds That Flame Malware Has at Least Three Siblings

Flame, the malware linked to the well-known Stuxnet that hit Iranian nuclear systems hard in 2010, is believed to have three siblings running in the wild, according to new research by the security firm Kaspersky Lab.

Kaspersky, in collaboration with the International Telecommunication Union's IMPACT Alliance, CERT-Bund/BSI and Symantec, examined several command-and-control (C&C) servers used by Flame's creators, leading to the discovery of three malicious programs still running in the wild.

The analysis also found that at least four developers worked on the attack, each with a different level of expertise. It further confirmed that sophisticated cryptography is used to encrypt data as it travels between the victims' machines and the C&C servers. The C&C code also handles three communication protocols, and the researchers found evidence of a fourth protocol under development.

Alexander Gostev, chief security expert at Kaspersky Lab, described these discoveries as examples of cyber espionage conducted on a large scale, according to a report published by pcmag.com on September 17, 2012.

"The professional terms like bot, botnet infection, malware-command or related are not used by the C&C developers in their control panel. Instead they use usual words like data, upload, news, download, ads, client, blog, backup, etc.," the company said. "We believe this was intentionally done to betray hosting company sys-admins who might run unexpected checks."

In addition, the C&C panel was not designed to push commands to the victims. Instead, the attackers uploaded special tar.gz archives, and scripts on the server extracted the archive contents. The scripts also encrypted every file received from a zombie machine with a key that is itself encrypted, so no one except the attacker can access or decrypt the files.
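The design just described, a per-file key that is itself encrypted, is what makes a seized C&C server useless for recovering the stolen data: the server stores only ciphertext plus a wrapped key, and the unwrapping key never lives on it. The following Go program is an added illustration of that scheme written for this page; it is not code from Kaspersky's report or from the Flame servers, and its algorithm choices (AES-256-GCM for the file, RSA-OAEP for the key) and the sample file are assumptions, since the article does not name the ciphers used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what the server keeps on disk for one uploaded file: the file
// body under a one-off symmetric key, and that key wrapped with the operator's
// public key. Nothing in here lets the server, or anyone who images it, read the file.
type Envelope struct {
	WrappedKey []byte // one-off AES-256 key, encrypted with RSA-OAEP to the public key
	Nonce      []byte // AES-GCM nonce for this file
	Ciphertext []byte // file contents plus GCM authentication tag
}

// sealFile models the server-side step: draw a fresh symmetric key, encrypt the
// received file with it, wrap the key to the public key, then discard the key.
func sealFile(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // the server retains only the wrapped copy of the key
		key[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// openFile is the step only the private-key holder can perform.
func openFile(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Demo runs the scheme end to end and reports (a) whether the private-key holder
// recovers the file and (b) whether a party without that key is refused.
func Demo() (recovered bool, refusedWithoutKey bool, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the operator's key pair
	if err != nil {
		return false, false, err
	}
	// Constructed sample standing in for a file uploaded by an infected host.
	sample := []byte("constructed sample: document collected from an infected host")
	env, err := sealFile(&operator.PublicKey, sample)
	if err != nil {
		return false, false, err
	}
	plain, err := openFile(operator, env)
	if err != nil {
		return false, false, err
	}
	recovered = bytes.Equal(plain, sample)
	// An investigator holding only the server image has the envelope but not the
	// private key; any other key fails at the unwrap step.
	investigator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return recovered, false, err
	}
	_, openErr := openFile(investigator, env)
	refusedWithoutKey = openErr != nil
	return recovered, refusedWithoutKey, nil
}

func main() {
	recovered, refused, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("key holder recovers file: %v; server image alone decrypts: %v\n", recovered, !refused)
}
```

The point for an incident responder is in the second half of `Demo`: imaging the server yields the envelopes, but without the operator's private key the unwrap step fails and the file contents stay opaque, which is exactly the property the article attributes to the Flame servers.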

Interestingly, the four developers also created four protocols, each of which communicates with a different "client", or piece of malware.

"A close look at these protocol handlers disclosed four different types of clients, codenamed SP, FL, SPE and IP. We can verify the Flame malware, as it was recognized as client type FL. Apparently, this shows that there are at least three other undiscovered cyber-espionage or cyber-sabotage tools formed by the same authors: SP, SPE and IP," Kaspersky concluded.